On Sat, Apr 08, 2006 at 03:21:05PM +0200, Marek Podmaka wrote:
> So what is it? People (no, they aren't hackers :) try to use your resources
> for their "actions". These scripts are mainly irc bots waiting for commands
> and can perform actions like googling for other vulnerable servers, doing
> udpflood and so on. So part of the solution is to block port 6667 in
> firewall :)

I think in most situations it is best to block all outgoing connections and
open those that are necessary. This will make most attacks very difficult.

> Solutions (please contribute if you have any ideas):
> 1) /tmp noexec, better also /var/tmp (not useful if evil executes "perl
> /tmp/.evilscript")

Also /dev/shm.

> 4) use a wrapper for emails - I have one which includes special headers in
> mails sent from php, I'm going to modify it to support limits on the no. of
> mails sent in a timeframe

I hope you share this.
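
A check for point 1) and the /dev/shm reply above, as an added example that is not code from either poster: it reads a mounts table in /proc/mounts format and reports whether /tmp, /var/tmp and /dev/shm are separate mounts carrying noexec. The function names and the sample table are constructed for illustration; a directory that is not its own mount point is flagged because it has no mount options of its own.

```shell
#!/bin/sh
# Added example: audit noexec on the world-writable directories named in the thread.
# Input format is that of /proc/mounts: device mountpoint fstype options dump pass

# Constructed sample (not from a real host): /tmp is noexec, /dev/shm is not,
# and /var/tmp is only a directory on the root filesystem.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF
}

# check_noexec MOUNTS_FILE DIR
# Prints one of: noexec | exec | not-a-mountpoint
check_noexec() {
    mounts_file=$1
    dir=$2
    # Last matching line wins: a later mount on the same path shadows earlier ones.
    opts=$(awk -v d="$dir" '$2 == d { o = $4 } END { print o }' "$mounts_file")
    if [ -z "$opts" ]; then
        echo "not-a-mountpoint"
        return 0
    fi
    # Wrap in commas so "noexec" only matches as a whole option.
    case ",$opts," in
        *,noexec,*) echo "noexec" ;;
        *)          echo "exec" ;;
    esac
}

# audit_tmp_mounts [MOUNTS_FILE]
# Prints one line per directory; returns 0 only if all three are noexec mounts.
audit_tmp_mounts() {
    mounts_file=${1:-/proc/mounts}
    rc=0
    for dir in /tmp /var/tmp /dev/shm; do
        state=$(check_noexec "$mounts_file" "$dir")
        echo "$dir: $state"
        [ "$state" = "noexec" ] || rc=1
    done
    return $rc
}
```

Calling `audit_tmp_mounts` with no argument checks the running host. A passing result still leaves the interpreter case from point 1) open, since `perl /tmp/.evilscript` does not need the file to be executable.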